4 changes: 4 additions & 0 deletions .gitignore
@@ -1,5 +1,9 @@
.DS_Store
.external_modules
.idea

.terraform
terraform.tfstate*
terraform.tfvars
*.key
*.crt
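Review bot: The `terraform.tfvars` entry only matches that exact filename, so a `prod.tfvars` or `*.auto.tfvars` holding the new `windows_mdm_wstep_identity_key` value (which has no default and must be supplied somewhere) would still be committed; prefer `*.tfvars` and `*.tfvars.json`, with an explicit `!example.tfvars` if a sample file is meant to stay tracked. An ignore rule also does nothing for files already tracked or already in history, so this change is worth pairing with a one-off check that no key or tfvars file was committed earlier.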
18 changes: 7 additions & 11 deletions gcp/byo-project/iam.tf
Expand Up @@ -30,21 +30,17 @@ resource "google_project_iam_member" "fleet_run_sa_monitoring_writer" {
}


resource "google_secret_manager_secret_iam_member" "fleet_run_sa_db_secret_access" {
project = var.project_id
secret_id = google_secret_manager_secret.database_password.id
role = "roles/secretmanager.secretAccessor"
member = "serviceAccount:${google_service_account.fleet_run_sa.email}"

depends_on = [google_secret_manager_secret.database_password]
}
resource "google_secret_manager_secret_iam_member" "fleet_run_sa_secret_access" {
for_each = local.fleet_secrets_env_vars

resource "google_secret_manager_secret_iam_member" "fleet_run_sa_private_key_secret_access" {
project = var.project_id
secret_id = google_secret_manager_secret.private_key.id
secret_id = each.value.secret
role = "roles/secretmanager.secretAccessor"
member = "serviceAccount:${google_service_account.fleet_run_sa.email}"

depends_on = [google_secret_manager_secret.private_key]
depends_on = [
google_secret_manager_secret.database_password,
google_secret_manager_secret.private_key,
]
}
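Review bot: Replacing the two named bindings with a `for_each` keyed by env-var name changes their Terraform addresses, so without `moved` blocks the next apply destroys `fleet_run_sa_db_secret_access` and `fleet_run_sa_private_key_secret_access` and recreates them under `fleet_run_sa_secret_access["..."]`, and in that window the Cloud Run service account holds no accessor role on the database password, which matters if a revision deploys or an instance starts while IAM propagates. `local.fleet_secrets_env_vars` is not in view so I cannot confirm the exact keys, but the fix is one `moved` block per old resource with `from = google_secret_manager_secret_iam_member.fleet_run_sa_db_secret_access` and `to = google_secret_manager_secret_iam_member.fleet_run_sa_secret_access["<env var key>"]`. The explicit `depends_on` is presumably redundant once `each.value.secret` is derived from those secret resources' attributes, and it silently stops covering any secret that arrives through `extra_secret_env_vars`; dropping it and relying on the reference would be cleaner.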

48 changes: 47 additions & 1 deletion gcp/main.tf
Expand Up @@ -49,13 +49,59 @@ module "project_factory" {
labels = var.labels
}

resource "google_secret_manager_secret" "mdm_wstep_cert" {
project = module.project_factory.project_id
secret_id = "fleet-mdm-wstep-identity-cert"
replication {
auto {}
}
}

resource "google_secret_manager_secret_version" "mdm_wstep_cert" {
secret = google_secret_manager_secret.mdm_wstep_cert.name
secret_data_wo = var.windows_mdm_wstep_identity_cert
secret_data_wo_version = 2
}

resource "google_secret_manager_secret" "mdm_wstep_key" {
project = module.project_factory.project_id
secret_id = "fleet-mdm-wstep-identity-key"
replication {
auto {}
}
}

resource "google_secret_manager_secret_version" "mdm_wstep_key" {
secret = google_secret_manager_secret.mdm_wstep_key.name
secret_data_wo = var.windows_mdm_wstep_identity_key
secret_data_wo_version = 2
}

locals {
windows_mdm_secret_env_vars = {
FLEET_MDM_WINDOWS_WSTEP_IDENTITY_CERT_BYTES = {
secret = google_secret_manager_secret.mdm_wstep_cert.secret_id
version = "latest"
}
FLEET_MDM_WINDOWS_WSTEP_IDENTITY_KEY_BYTES = {
secret = google_secret_manager_secret.mdm_wstep_key.secret_id
version = "latest"
}
}
}

module "fleet" {
source = "./byo-project"
project_id = module.project_factory.project_id
dns_record_name = var.dns_record_name
dns_zone_name = var.dns_zone_name
vpc_config = var.vpc_config
fleet_config = var.fleet_config
fleet_config = merge(var.fleet_config, {
extra_secret_env_vars = merge(
coalesce(var.fleet_config.extra_secret_env_vars, {}),
local.windows_mdm_secret_env_vars,
)
})
cache_config = var.cache_config
database_config = var.database_config
region = var.region
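Review bot: In `windows_mdm_secret_env_vars` both entries resolve `version = "latest"` independently, while the only thing that creates a new version is a manual bump of the hard-coded `secret_data_wo_version = 2` on each `google_secret_manager_secret_version`; a rotation that bumps one literal but not the other leaves Fleet reading a certificate and key from different identities, and as far as I can tell an unchanged `"latest"` string gives Terraform no reason to roll a new Cloud Run revision to pick the new pair up. Consider pinning each env var to the version Terraform just wrote, e.g. `version = google_secret_manager_secret_version.mdm_wstep_cert.version` (the secret_version resource exports `version`), and driving both `secret_data_wo_version` values from a single `variable "windows_mdm_wstep_identity_version"` so cert and key always rotate together and the changed pin forces a redeploy. The write-only `secret_data_wo` arguments also need Terraform 1.11+ and a recent google provider; no `required_version`/`required_providers` constraint is in this hunk, so if one is not set elsewhere it should be added.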
12 changes: 12 additions & 0 deletions gcp/variables.tf
Expand Up @@ -2,6 +2,18 @@ variable "project_name" {
default = "fleet"
}

variable "windows_mdm_wstep_identity_cert" {
description = "PEM-encoded certificate for Windows MDM WSTEP identity (FLEET_MDM_WINDOWS_WSTEP_IDENTITY_CERT_BYTES)"
type = string
sensitive = true
}

variable "windows_mdm_wstep_identity_key" {
description = "PEM-encoded private key for Windows MDM WSTEP identity (FLEET_MDM_WINDOWS_WSTEP_IDENTITY_KEY_BYTES)"
type = string
sensitive = true
}

variable "org_id" {
description = "organization id"
}
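Review bot: Both new variables accept any string, so a caller who passes a file path (the usual mistake with `*_BYTES` settings) or swaps the cert and key values gets a clean plan and a Secret Manager version whose content only fails at WSTEP enrollment time; a `validation` block on each that checks for the expected PEM header catches this at plan time, before anything is written. `sensitive = true` only redacts CLI and plan output, it does not keep the value out of the tfvars file or environment the caller sources it from, which the description could say explicitly. Both are also required with no default, so every consumer of the root module now has to provide a Windows MDM identity; if non-Windows deployments exist, a `default = null` with conditional creation upstream would be friendlier, though that is a main.tf change.
```hcl
variable "windows_mdm_wstep_identity_cert" {
  description = "PEM-encoded certificate for Windows MDM WSTEP identity (FLEET_MDM_WINDOWS_WSTEP_IDENTITY_CERT_BYTES). Pass the PEM contents, not a path."
  type        = string
  sensitive   = true

  validation {
    condition     = can(regex("^-----BEGIN CERTIFICATE-----", trimspace(var.windows_mdm_wstep_identity_cert)))
    error_message = "windows_mdm_wstep_identity_cert must be the PEM-encoded certificate contents, starting with -----BEGIN CERTIFICATE-----."
  }
}

variable "windows_mdm_wstep_identity_key" {
  description = "PEM-encoded private key for Windows MDM WSTEP identity (FLEET_MDM_WINDOWS_WSTEP_IDENTITY_KEY_BYTES). Pass the PEM contents, not a path."
  type        = string
  sensitive   = true

  validation {
    condition     = can(regex("^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----", trimspace(var.windows_mdm_wstep_identity_key)))
    error_message = "windows_mdm_wstep_identity_key must be the PEM-encoded private key contents, starting with a -----BEGIN ... PRIVATE KEY----- header."
  }
}
```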